
After a lot of frustration, I've finally cracked my local Windows 10 password using mimikatz to extract the proper NTLM hash.

In particular, samdump2 decrypted the SAM hive into a list of users with "blank" passwords:

samdump2 system sam -o out

I.e., admin:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Conversely, mimikatz succeeded in outputting the proper NTLM hash:

mimikatz # lsadump::sam /system:C:\system /sam:C:\sam

I.e.,

RID  : 000003e9 (1001)
User : admin
  Hash NTLM: f1320e0960da374b88e40cffbec44885

The problem with mimikatz is that AVs flag it as malware the moment it gets downloaded.

Are there other tools available that can run on Linux that may decrypt the SAM file properly after Windows 10 anniversary update?

  • Can't you simply whitelist that software in your AV? – forest Apr 17 '18 at 09:48
  • @forest - Yes, I can. But I really want to be able to decrypt the SAM hive on my Kali box instead. – Shuzheng Apr 17 '18 at 09:49
  • Are you just asking for a way to crack NTLM hashes on Kali Linux? – forest Apr 17 '18 at 09:51
  • I can easily crack the NTLM hashes on Kali using john. However, conventional tools like samdump2 fail in decrypting the SAM hive to reveal the NTLM hashes. I'm looking for a substitute for samdump2 with support for Windows 10... – Shuzheng Apr 17 '18 at 09:53
  • @user111854 why does it have to be specifically on Win 10? It sounds like you want to crack them on the same machine... – sir_k Apr 17 '18 at 10:10
  • @FlorinCoada - Yes, I can crack them on the same machine (i.e., Windows 10). However, I'd rather not use mimikatz... – Shuzheng Apr 17 '18 at 10:47
  • The question is valid. A predecessor step - open the SAM hive - is required before the NTLM hashes are available. Mimikatz can do this, but the question is looking for ways to open the SAM hive when not on the original Windows OS at all, sidestepping the need for mimikatz. – Royce Williams Apr 17 '18 at 21:04
  • @RoyceWilliams - Thanks! This is exactly what I'm asking... If you know where to look up the details of how the SAM hive is formatted / encrypted, I might be able to write a new tool. Where can I find this information, do you know that? – Shuzheng Apr 18 '18 at 06:51
  • Boot Mimikatz from a USB PE environment or close Disk and use offline Windows computer. – eckes Apr 19 '18 at 02:19

1 Answer


secretsdump.py from impacket works. It ships with Kali as impacket-secretsdump. After extracting the SAM and SYSTEM hives from Windows/System32/config, you can use it like this:

impacket-secretsdump -sam SAM -system SYSTEM LOCAL
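An added example, not part of the question or the answer: the "blank" NT hash samdump2 printed for every account, 31d6cfe0d16ae931b73c59d7e0c089c0, is simply MD4 of an empty UTF-16LE string, i.e. the NT hash of an empty password, so a dump full of that value is a sign the hive was not really decrypted rather than that every account has no password. The script recomputes that value and audits pwdump-format lines (the user:RID:LM:NT::: layout shown in the question, which secretsdump also prints) for blank-password accounts and for accounts sharing one hash; the sample lines are constructed, and MD4 is implemented inline because hashlib's md4 is often missing under OpenSSL 3.

```python
import struct
from collections import defaultdict

def _rot(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    # RFC 1320 MD4, written out here because hashlib's md4 is often unavailable under OpenSSL 3.
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b'\x80'
    msg += b'\x00' * ((56 - len(msg) % 64) % 64) + struct.pack('<Q', 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    order = (list(range(16)),
             [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15],
             [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15])
    shifts = ([3, 7, 11, 19], [3, 5, 9, 13], [3, 9, 11, 15])
    funcs = ((f, 0), (g, 0x5A827999), (h, 0x6ED9EBA1))
    for off in range(0, len(msg), 64):
        x = struct.unpack('<16I', msg[off:off + 64])
        a, b, c, d = state
        for rnd, (fn, k) in enumerate(funcs):
            for i in range(16):
                a = _rot((a + fn(b, c, d) + x[order[rnd][i]] + k) & 0xFFFFFFFF, shifts[rnd][i % 4])
                a, b, c, d = d, a, b, c  # rotate roles so the next step updates the old d
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack('<4I', *state)

def nt_hash(password: str) -> str:
    # NT hash = MD4 over the UTF-16LE encoding of the password (no salt).
    return md4(password.encode('utf-16-le')).hex()

EMPTY_NT = nt_hash('')  # the value samdump2 printed for every account in the question

def audit_pwdump(text: str) -> dict:
    """Return blank-password accounts and groups of accounts sharing one NT hash."""
    by_hash = defaultdict(list)
    for line in text.splitlines():
        parts = line.strip().split(':')
        if len(parts) >= 4 and parts[0]:  # skip blank or malformed lines
            by_hash[parts[3].lower()].append(parts[0])
    shared = {h: u for h, u in by_hash.items() if len(u) > 1 and h != EMPTY_NT}
    return {'blank': by_hash.get(EMPTY_NT, []), 'shared': shared}

SAMPLE = (  # constructed pwdump-style lines in the same layout as the question's samdump2 output
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\n"
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\n"
    "alice:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::\n"
    "bob:1002:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::\n")
```

If every account in a dump lands in the 'blank' list, treat it as a failed decryption first; a real audit result usually shows a mix, with the 'shared' groups pointing at reused passwords worth rotating.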